Design Flaws, Besides Vulnerabilities, Hurt Banking Sites

By Jeremy Kirk

Wed, July 23, 2008 — IDG News Service

Banking Web sites suffer from design flaws that undermine their security, exclusive of software vulnerabilities, according to a University of Michigan study to be released Friday.

Of 214 sites surveyed in 2006, more than 75 percent had at least one design flaw that could lead to a security problem, the university said. The flow and layout of a site can make it riskier, and unlike a software vulnerability, these problems can't be fixed with a patch.

A few of the study's findings were released on Tuesday by the university. The full findings will be presented at the Symposium on Usable Privacy and Security meeting Friday at Carnegie Mellon University in Pittsburgh.

The study was undertaken by Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science, and two doctoral students, Laura Falk and Kevin Borders. Prakash began investigating after noticing problems with the Web site of his own bank, the university said.

Although the research was done in 2006, many of the problems still affect financial sites. One of the core troubles is an underutilization of SSL (Secure Sockets Layer) encryption technology on Web pages.

The study found that 47 percent of banks didn't use SSL on login pages, which could open the door for a hacker to reroute data to their own PC. Not using SSL also makes it easier for a man-in-the-middle attack, where the victim's data passes through an attacker's PC before it's routed to the bank's server.

Another pervasive problem affecting 55 percent of institutions is placing contact information and security advice on insecure pages. A hacker could conceivably break into the Web site and change the customer service phone number to direct banking customers to a fictitious call center. Again, SSL is the remedy.

The researchers found 30 percent of sites would redirect users to other Web sites, which can skew how a person is supposed to evaluate risk, the study said.

Since a bank site is trusted, the site it links to will likely not be considered a security risk even if it is one. Banks should put all their Web pages on the same server, but some have outsourced security features that are hosted on other domains.

Weak user IDs and passwords continue to be troublesome, with 28 percent of banks either lacking password guidelines or allowing weak ones. Institutions will also e-mail passwords or statements, which is also risky, the study said.
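Three of the flaws above (a login form on or posting to a non-SSL page, contact information on a non-SSL page, and links that send customers off the bank's own domain) can be checked mechanically from a site's HTML. The script below is an added example, not code from the study or the article; it audits a set of pages for those three flaws using only the Python standard library. The bank domain `example-bank.test`, the two sample pages and the finding names are constructed for illustration. The weak-password and e-mailed-statement findings are not checked, since they are not visible in page markup.

```python
"""Audit HTML pages for the design flaws the Michigan study counted."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class PageScanner(HTMLParser):
    """Collect forms (noting whether they carry a password field) and link targets."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each: {"action": str, "has_password": bool}
        self.links = []      # raw href values from <a> tags
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["has_password"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def same_site(host, bank_host):
    """True when host is the bank's domain or a subdomain of it."""
    return host == bank_host or host.endswith("." + bank_host)


def audit_page(url, html, bank_host):
    """Return (flaw, detail) pairs found on one page.

    The flaw names are constructed here and mirror three findings of the
    study: a login form on, or posting to, a non-SSL page; contact
    information (here: a tel: link) on a non-SSL page; and links that lead
    off the bank's own domain.
    """
    scanner = PageScanner()
    scanner.feed(html)
    page = urlparse(url)
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue                     # not a login form
        if page.scheme != "https":
            findings.append(("login_page_not_ssl", url))
        target = urlparse(urljoin(url, form["action"]))
        if target.scheme != "https":
            findings.append(("login_posts_over_http", target.geturl()))
    if page.scheme != "https" and any(h.lower().startswith("tel:") for h in scanner.links):
        findings.append(("contact_info_not_ssl", url))
    for href in scanner.links:
        target = urlparse(urljoin(url, href))
        if (target.scheme in ("http", "https") and target.hostname
                and not same_site(target.hostname, bank_host)):
            findings.append(("offsite_link", target.geturl()))
    return findings


def audit_site(pages, bank_host):
    """Audit every url -> html pair; returns {url: [findings]}."""
    return {url: audit_page(url, html, bank_host) for url, html in pages.items()}


# Constructed sample pages for a fictitious bank (not real sites).
BANK_HOST = "example-bank.test"
SAMPLE_PAGES = {
    "http://www.example-bank.test/": """
        <html><body>
        <form action="https://secure.example-bank.test/login" method="post">
          <input name="user"><input type="password" name="pass">
        </form>
        <p>Customer service: <a href="tel:+1-800-555-0100">1-800-555-0100</a></p>
        <a href="http://rewards.partner.test/">Rewards program</a>
        </body></html>""",
    "https://secure.example-bank.test/login": """
        <html><body>
        <form action="/login" method="post">
          <input name="user"><input type="password" name="pass">
        </form>
        <a href="/help">Security tips</a>
        </body></html>""",
}

if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_PAGES, BANK_HOST).items():
        print(url, findings or "no design flaws found")
```

Run against the constructed pages, the plain-HTTP home page is flagged three times (login form on a non-SSL page, phone number on a non-SSL page, off-domain link) even though the form itself posts over HTTPS, which is exactly the case the study counts: the page a customer judges is the one that was never protected. The HTTPS login page produces no findings. A real audit would fetch the pages with an HTTP client and follow redirects, which this offline example leaves out.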
